Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.

A botnet that redirected clicks from millions of PCs has been shut down by Microsoft and Symantec, at least for the moment. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn't intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company's headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. "These servers were command and control servers and were also absorbing the malicious traffic the botnet was creating," said Vikram Thakur, principal security response manager at Symantec in an interview with Ars.

Richard Boscovich, Microsoft's general counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. "The malware was morphing back and forth, so it made it difficult to identify the targets," he said. But when the botnet stabilized a few months ago, "it offered a window of opportunity to go after them. The legal portion took about two months."

Based on forensic evidence collected from infected computers by Symantec and Microsoft, there have been several generations of Bamital, with activity dating back at least three years. Early variants of the malware attacked users' Web browsers with HTML injection. "They injected an iframe into every page," Thakur said, "so whatever page loaded also loaded content from the bad guys."

In later variants of Bamital, the malware simply redirected any click on a search page to the botnet's own servers, which in turn used HTML redirects to feed the victims' traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.
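The chain of redirects described above is also what a defender sees in proxy logs: a search-referred request that answers with a 3xx, followed by further 3xx hops across unrelated hosts, before a page finally loads. The script below is an added example (not code from the article, Microsoft or Symantec) that reconstructs such chains from log lines and flags clicks that cross several distinct hosts before landing. The log layout, the `SEARCH_HOSTS` set, the `MIN_CROSS_HOST_HOPS` threshold and all hostnames in `SAMPLE_LOG` are constructed assumptions.

```python
# Added example (not code from the article, Microsoft or Symantec): reconstruct
# HTTP redirect chains from proxy log lines and flag search clicks that bounce
# across several unrelated hosts before landing, the pattern the article
# attributes to Bamital. The log format, hostnames and thresholds are assumptions.
import re
from urllib.parse import urlsplit, urljoin

# Hostnames treated as search engines when they appear as a Referer (assumption).
SEARCH_HOSTS = {"google.com", "bing.com", "search.yahoo.com"}
# A search-referred request that crosses at least this many distinct hosts
# via 3xx responses before landing is reported (assumption).
MIN_CROSS_HOST_HOPS = 2

# Assumed proxy log layout: "<ts> <client> <method> <url> <status> <location|-> <referer|->".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+) (?P<referer>\S+)$"
)

# Constructed sample log: one benign click, one benign www redirect, one hijacked click.
SAMPLE_LOG = [
    "2013-02-06T10:00:01Z 10.0.0.5 GET http://example-news.test/story 200 - http://www.google.com/search?q=news",
    "2013-02-06T10:00:02Z 10.0.0.9 GET http://cnc.example.test/click?q=loans 302 http://adhub.example.test/r?id=1 http://www.google.com/search?q=loans",
    "2013-02-06T10:00:02Z 10.0.0.9 GET http://adhub.example.test/r?id=1 302 http://affiliate.example.test/land -",
    "2013-02-06T10:00:03Z 10.0.0.5 GET http://example.test/ 301 http://www.example.test/ http://www.bing.com/search?q=example",
    "2013-02-06T10:00:03Z 10.0.0.9 GET http://affiliate.example.test/land 302 http://shop.example.test/offer -",
    "2013-02-06T10:00:04Z 10.0.0.5 GET http://www.example.test/ 200 - -",
    "2013-02-06T10:00:04Z 10.0.0.9 GET http://shop.example.test/offer 200 - -",
]


def host_of(url):
    """Hostname with a leading 'www.' stripped, so www.x.test and x.test compare equal."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def parse(lines):
    """Parse log lines into dicts; '-' fields become None, malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["location"] = None if e["location"] == "-" else e["location"]
        e["referer"] = None if e["referer"] == "-" else e["referer"]
        entries.append(e)
    return entries


def reconstruct_chains(entries):
    """For each client, start a chain at every search-referred request and follow
    consecutive 3xx Location hops while the client's next request matches them."""
    by_client = {}
    for e in entries:
        by_client.setdefault(e["client"], []).append(e)
    chains = []
    for client, events in by_client.items():
        i = 0
        while i < len(events):
            first = events[i]
            if first["referer"] and host_of(first["referer"]) in SEARCH_HOSTS:
                hops = [first["url"]]
                current = first
                while 300 <= current["status"] < 400 and current["location"]:
                    expected = urljoin(current["url"], current["location"])
                    if i + 1 < len(events) and events[i + 1]["url"] == expected:
                        i += 1
                        current = events[i]
                        hops.append(current["url"])
                    else:
                        break  # client never followed the redirect (or the log is truncated)
                cross = sum(1 for a, b in zip(hops, hops[1:]) if host_of(a) != host_of(b))
                chains.append({
                    "client": client,
                    "hops": hops,
                    "cross_host_hops": cross,
                    "flagged": cross >= MIN_CROSS_HOST_HOPS,
                })
            i += 1
    return chains


def find_hijacks(lines):
    """Return only the chains that look like hijacked search clicks."""
    return [c for c in reconstruct_chains(parse(lines)) if c["flagged"]]


if __name__ == "__main__":
    for chain in find_hijacks(SAMPLE_LOG):
        print(chain["client"], " -> ".join(host_of(h) for h in chain["hops"]))
```

On the constructed sample, the benign click and the `example.test` to `www.example.test` redirect produce chains with no cross-host hops, while the `10.0.0.9` click passes through three unrelated hosts before landing and is reported. The threshold is deliberately a count of distinct hosts rather than of redirects, because a single host-internal 301 is routine and should not raise an alert.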

Because of the nature of Bamital, Microsoft is now in a position that's different from some of its previous botnet takedowns—it has a direct line to victims of the malware. "One of the things we're doing a little differently in this case is we're doing direct victim notification," Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that's out there.

"There are AV signatures out there for this malware already," Boscovich said. "They may have an OS that's unpatched or antivirus software that's outdated. We're taking control of the command and control network so that every time someone types in a search query, they're going to get redirected to a page directly by Microsoft."

Thakur said that the Bamital malware was initially delivered by a combination of methods, including in packages over peer-to-peer filesharing networks disguised as other content. But the majority of infected systems were victims of "drive-by downloads" from websites configured with malicious software intended to exploit browser security flaws. "We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits," he said.

As new variants of the botnet were developed, the operators made efforts to "upgrade" systems they had already infected. "But along the way they seemed to have left behind a number of people," Thakur said. The older servers that had been used with previous versions of the malware appear to have been abandoned as well.

In 2011, Microsoft and Symantec were able to monitor the traffic going to one of the botnet's servers. "We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis," Thakur said. Based on a conservative estimate of a payment for one-tenth of a percent of the advertising value for each click, the companies determined the fraud ring was pulling in over $1 million a year from advertising networks. "And it could have been 2 or 3 times that much," he said.

The advertising networks connected to Bamital themselves may be completely fraudulent. They acted as clearinghouses for the traffic and resold it to other, legitimate advertising networks and affiliate programs. "Bamital went through several ad networks before it even displayed content," Thakur said. "It was super convoluted."

Microsoft and Symantec are hoping the data obtained through the seizure of the server in New Jersey will help them get a better understanding of the underground ecosystem of advertising networks that drives botnets like Bamital. But it's too early to tell if it will help catch the actual perpetrators. "We still have to go through the evidence," Boscovich said, but he noted that Microsoft had some success in the past in identifying botnet operators, as it did with Kelihos.

65 Reader Comments

"the malware simply redirected any click on a search page to the botnet's own servers, which in turn used HTML redirects to feed the victims' traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website"

"Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet"

On the one hand, this sounds like it's a good thing. On the other hand, I don't have much tolerance anymore for corporations and federal law enforcement working hand-in-hand in this fashion.... I take it the Marshals Service doesn't have an IT wing?

"Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet"

On the one hand, this sounds like it's a good thing. On the other hand, I don't have much tolerance anymore for corporations and federal law enforcement working hand-in-hand in this fashion.... I take it the Marshals Service doesn't have an IT wing?

Yes, you're absolutely correct, because we should just let the government handle that job right?

All that to make a million bucks a year? Seems like a lot of work for a small pay off.

Now imagine you live in a particularly poor country, as many computer criminals do. Lacking proper economic outlets for their skills, they realize they can skim relatively small amounts of money off people in other countries at low personal risk, and be rich by local standards.

I have to say, I analyze tons of infected computers and I've never seen this malware. Anyone else? It's Tracur that's the most common search hijacker. TDSS was the most common click fraud trojan, now seemingly MIA.

All that to make a million bucks a year? Seems like a lot of work for a small pay off.

Is that you Mr. Buffett? That may not be much money for you, but assuming they were busting ass, and putting 12 hours per day of work into the scheme (unlikely), that would be a significant pay off for us serfs, even if we had to split it with a couple people.

I don't understand how it is that malware has taken such a stronghold on some systems. If I remember correctly, my PC getting infected was during the IE + WinXP no service pack days. Since the past many years I haven't even seen my AV flag anything other than when I use a friend's flash drive, which I already expect it to do each time. Not to mention I had been using Windows 7 without any real time AV for quite some time and still managed to stay clean. I guess it comes down to using unpatched and old software coupled with exploitable code in third party applications, not to mention the apparently free software obtained via p2p.

We've been in the business for about forty years. We post some facts, and immediately we receive 'thumbs' down. We can just imagine the intelligence that abounds here. You are pretty much on the money Rob.

I notice no details regarding search redirection (none on the original MS article either). Was it the search bar in IE? What version(s)? Was it only Bing searches? Was it all searches from any web-based search engine?

We've been in the business for about forty years. We post some facts, and immediately we receive 'thumbs' down. We can just imagine the intelligence that abounds here. You are pretty much on the money Rob.

15 ¶ Drink waters out of thine own cistern, and running waters out of thine own well.

Wow, Old Testament, huh? Fire and brimstone, cats and dogs living together, that kind of thing? Must have been tough rooting out those punchcard viruses when you're trying to avoid being turned into a pillar of salt or whatever.

The chances are good that the victims, when redirected to the Microsoft remedy page, will assume they were being attacked by malware that was trying to fool them into running a fake AV scan. Irony!

Good point. I know I would and I am in the IT security business. I would be running every malware scanner I trusted first before trusting that, if ever. Unless I read it first on one of my many tech news sites I visit, like ARS or Sophos, or THN.

The chances are good that the victims, when redirected to the Microsoft remedy page, will assume they were being attacked by malware that was trying to fool them into running a fake AV scan. Irony!

Good point. I know I would and I am in the IT security business. I would be running every malware scanner I trusted first before trusting that, if ever. Unless I read it first on one of my many tech news sites I visit, like ARS or Sophos, or THN.

That may not matter though. If these people don't know they're infected anything that leads them to investigate should be a good thing. The types that would be suspicious of that remedy page would know enough to run their own scans (and probably wouldn't be infected in the first place). Anyone else would probably just follow the directions on the page. Either way, since the article said signatures have been out there for a while it should be detected and cleaned.

We've been in the business for about forty years. We post some facts, and immediately we receive 'thumbs' down. We can just imagine the intelligence that abounds here. You are pretty much on the money Rob.

What facts did you post? Am I not seeing an earlier comment of yours that was deleted? Because I can't even parse your initial comment into a thought that makes sense given the context of the article. I don't know about everyone else, but I down-voted your first post because of that, and every post since then because they were just bitching about being down-voted (or weird, unrelated scripture).

Microsoft took ownership of a few relevant ip addresses in an attempt to neutralize the botnet. The criminals have made a ton of money, learned how to improve the stealth of their operation and are most likely at work preparing the next attack.

When does this end?

Shouldn't it be part of the solution putting those people in a position that makes it really difficult for them to launch new attacks?

I suspected something like this. Over the last 2 weeks, the number of received spam emails in my junk mail folder had decreased from over 600/week to just 100/week. I am running my own mail server, so I do all the filtering myself, using Procmail and SpamAssassin.

The chances are good that the victims, when redirected to the Microsoft remedy page, will assume they were being attacked by malware that was trying to fool them into running a fake AV scan. Irony!

That's what I'm wondering too. Is there a way to see the redirected page (without getting myself infected)? I'm especially interested in knowing what's under the "How can I trust this site?" link.

I tried to visit the address shown in the screen shot from the article, in my browser. (You know - for science! And insomnia, but never mind that now.) It doesn't work, so I couldn't learn what those links do. Not sure how that works. The image isn't credited; it might be a mock-up or some such. Perhaps Sean could enlighten us.

malwarenotice.microsoft.com (the URI from the article's image) currently resolves to an IPv4 address (199.2.137.137) with whois records indicating Microsoft control. It responds to pings but serves no pages via https (443) or http (80).

Microsoft took ownership of a few relevant ip addresses in an attempt to neutralize the botnet. The criminals have made a ton of money, learned how to improve the stealth of their operation and are most likely at work preparing the next attack.

When does this end?

Shouldn't it be part of the solution putting those people in a position that makes it really difficult for them to launch new attacks?

Of course catching the guys behind the botnet would be the optimal outcome, and that may still happen depending on what sort of identifying information the authorities can lift off the confiscated CC servers, but even if they don't gaining control of the botnet is in itself a good thing.

Also, one has to appreciate the extraordinary difficulty in catching such hackers. I'm not a hacker and I haven't worked in IT for a few years now, but in my mind it would go something like this:

Imagine a CC server that was leased using stolen credit card information, so you can't identify the hacker by seeing who paid for it. The server is configured not to log connections on its management network interface. The management network is accessed via some kind of encrypted tunnel or perhaps through a darknet, making it difficult to trace the management connections back to a source. Even if you somehow are to track those connections back, the source is likely not even in the same country as the leased server... all you would get is some webcafe or open wifi network in Eastern Europe, Africa or Pakistan or wherever.

If the hackers have covered their bases, the only real way to go after them is following the money trail. The advertisers paid a million dollars, and this money would have to go somewhere, but then you're faced with other difficulties. As the article stated, there were several "illegitimate" advertising companies involved, who sold this traffic to their "semi-legitimate" colleagues, so unless these illegitimate companies have kept books and records of where that money went, you'll just be facing another dead end. And we haven't even begun mentioning all the jurisdictional issues that would arise if you want to access the books and records of a company in a country that is not necessarily sympathetic to your plight, nor the issues that would arise if you actually identified the hacker and wanted to prosecute him.

The long and the short of it is that these aren't kids pointing LOIC at Sony. These are highly tech-savvy criminals in countries that have very limited capability in fighting that type of crime.

How did the Microsoft Corporation get the power to act as law enforcement? That's more scary than the botnet. Can the government delegate law enforcement to corporations? Can corporations show up and do things to private property? Where does this stop?

TheArticleThatSomeOfYouDidNotRead wrote:

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet.

We've been in the business for about forty years. We post some facts, and immediately we receive 'thumbs' down. We can just imagine the intelligence that abounds here. You are pretty much on the money Rob.

Now there's a story; what was the malware industry like in 1973?

There wasn't malware as we know it today. A fair amount of phone hacking/phreaking though. Computer security was mostly on the honor system, since the numbers of people using them was fairly small and easy to sort out who was doing what.

How did the Microsoft Corporation get the power to act as law enforcement? That's more scary than the botnet. Can the government delegate law enforcement to corporations? Can corporations show up and do things to private property? Where does this stop?

TheArticleThatSomeOfYouDidNotRead wrote:

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet.

Microsoft took ownership of a few relevant ip addresses in an attempt to neutralize the botnet. The criminals have made a ton of money, learned how to improve the stealth of their operation and are most likely at work preparing the next attack.

When does this end?

Shouldn't it be part of the solution putting those people in a position that makes it really difficult for them to launch new attacks?

It would be the ideal solution but catching the actual people behind it can be a lot more difficult and take years. It may or may not happen. Taking the botnet off line, even for some time only, is perfectly acceptable at this point.

The chances are good that the victims, when redirected to the Microsoft remedy page, will assume they were being attacked by malware that was trying to fool them into running a fake AV scan. Irony!

That's what I'm wondering too. Is there a way to see the redirected page (without getting myself infected)? I'm especially interested in knowing what's under the "How can I trust this site?" link.

I assume it first mentions the site's EV certificate (hence the green address bar with 'Microsoft Corporation' on the right), and/or that they don't really have to trust the page, just go to Windows Update and grab the latest malware removal tool.

My point is, why do federal marshals and the courts need the Microsoft Corporation to be involved with criminal cases? Shouldn't courts be independent of corporations? I wonder where it will stop. Will the MPAA and RIAA be used by courts to enforce copyright law? Will courts allow anyone to make DMCA claims that stifle free speech and send federal marshals? If not, why does MS get to enforce laws on behalf of the courts and other corporations don't? This is a murky legal area. No one really knows what MS is doing. What if MS accuses a Linux company of running a botnet, and gets federal marshals to go in and help it confiscate private property? What safeguards are there to keep MS from planting evidence? Sunlight needs to be shined on this new development in legal policy where a corporation is allowed to work with law enforcement officials in a criminal case.